26 March 2016

How often during an average week in your role do you make a "Trust Decision"? When you think about the factors associated with what really is going on when you make a decision to trust, it is beyond comprehension. Or is it?

The thousands of "Trust Decisions" that you will make as an Operational Risk Management (ORM) professional this week span every hour of your waking day. The portfolio of decisions to trust involve other people, processes, machines, computers and rules. As these words are typed on this computing machine from Apple, many more decisions have already been made about trust.

A recent visit to a California symposium on "Cyber 2026," looked into the crystal ball on how our society and environment will evolve in the next ten years. Topics included the threat landscape and our levels of machine learning hygiene. The Internet-of-Things (IoT) was mentioned along with the latest on adding more integration with your "Smart Car" and your "Smart Phone". This is just the beginning.

What needs to happen next? The dialogue on digital trust is now becoming a prominent theme, with significant effort occurring in the published press and on Amazon. Business units from PwC and Accenture are pivoting people, resources and thought leadership towards the topic for good reason. The next reengineering revolution is ready for prime time.

It has taken us the last ten years since 2006 to evolve with the cloud and the trust associated with handing over our data to a third party. We have migrated vital core software systems to be managed by AWS, Microsoft Azure and Google. These managed solutions provide the Small-to-Medium-Enterprise with the opportunity to scale their business without tremendous capital expenditure.

Yet we continue to find ourselves making daily and hourly decisions to trust while interacting with computing machines, with that back-of-the-mind feeling: can this really be trusted? Should I click on this link in my e-mail? How shall I respond to this LinkedIn message from a person I have never met face-to-face? As humans we are making "Trust Decisions" without even thinking about the science and systems mechanics that underlie the components and process. We just do it.

The rules. Now think about your daily routine and the "Trust Decisions" you make. How often are your decisions to trust intersecting with rules? Rules codified into laws. Rules codified into software. Rules codified into religion. Our world is about rules and how we either interact with or ignore the rules:

A month after a Los Angeles hospital was crippled by crypto-ransomware, another hospital is in an "internal state of emergency" for the same reason. Brian Krebs reports that Methodist Hospital in Henderson, Kentucky, shut down its desktop computers and Web-based systems in an effort to fight the spread of the Locky crypto-ransomware on the hospital's network.

Yesterday, the hospital's IT staff posted a scrolling message at the top of Methodist's website, announcing that "Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web-based services."

Unfortunately, the trust decisions that we make each day can be catastrophic. Whether it be online, or because we are just following the rules in Brussels:

Although this nation of 11.2 million has sent more foreign fighters per capita to the Islamic State than any other country in Europe, Belgium has a relatively small security apparatus. Brussels, the capital, is home to 2,500 international agencies and organizations, including NATO and the E.U. headquarters. Yet nationwide, the Belgian federal police have a total force of approximately 12,000.

The Belgian police have also been hampered by bizarre rules. According to Belgian Justice Minister Koen Geens, just two days after the Paris attacks Abdeslam was “likely in a flat in Molenbeek.” But because of the country’s penal code, which prohibits raids between 9 p.m. and 5 a.m. unless a crime is in progress or in case of fire, police were ordered to wait until dawn to pursue him. By then, Abdeslam was nowhere to be seen.

As we accelerate towards 2026 and beyond, it will require us to better design our systems, society and the rules associated with operating our cities, companies and countries. How can we hope to achieve this without understanding the root cause and the outcomes of our trust decisions? How will we reengineer our software to assist the human or artificial intelligence (AI) in writing the rules that shall "Enable Digital Trust of Global Enterprises"?

The pace of technological change has far surpassed our ability, as humans alone, to write the new rules for our next generation and beyond. We shall now embark on a purposeful mission to enlighten our leadership and the engineers of our vast digital environments on how to reengineer our rules, for the safety, security and privacy of a more certain future as we make our daily trust decisions.

20 March 2016

On the other end of a planned cyber threat are the motives and plans of a person. Sometimes that person puts a "Bot" into play to carry out many of the planned steps in their scheme. Operational Risk Management (ORM) professionals have been classifying these cybercriminals for a decade or more, yet only now, in 2016, are they getting more formal profiles:

BAE Systems, the London-based, multinational security company, recently released profiles of “six prominent types of cybercriminals” and detailed how they could hurt companies around the globe, officials say. Threat intelligence experts at BAE Systems have compiled a list, “The Unusual Suspects,” that has been created from “research that uncovers the motivations and methods of the most common types of cybercriminals,” according to BAE. “The intention of the campaign is to help enterprises understand the various enemies they face so they can better defend against cyberattacks.” BAE Systems officials have profiled six cybercriminal types:

The Mule – naive opportunists that may not even realize they work for criminal gangs to launder money;

The Professional – career criminals who work 9-to-5 in the digital shadows;

The Nation State Actor – individuals who work directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities;

The Activist – motivated to change the world via questionable means;

The Getaway – the youthful teenager who can escape a custodial sentence due to their age;

And The Insider – disillusioned, blackmailed or even over-helpful employees operating from within the walls of their own company.

These individuals and groups have caused billions of dollars in losses and caused significant harm to millions of people and organizations. Now what?

It will be many more years before the laws catch up with the technology and with those who use the vector of the Internet to carry out their crimes against humanity. Law enforcement continually has its hands tied by the laws and by the geographic challenges of a global epidemic. Governments and politicians are in constant battle over the privacy vs. security philosophy and all of the legal issues.

While the wheels of Parliament or the U.S. Congress slowly turn and the mechanisms for law enforcement become more robust for evidence collection, investigations and prosecutions, there are significant strategies of resilience on which we must focus our respective vigilance. It is not anything new per se, just a renewed emphasis and a new commitment to redesigning our digital environments. We can do better.

For now, what if we just pick one cybercriminal type to focus on? The "Insider".

The "Insider" is most likely in almost every formal organization today, working diligently to mask and perpetuate their goals until they are revealed. It is your "Duty of Care" to continuously deter, detect, defend and document within your enterprise. The "Insider" could be anyone and so how can the organization work ever more so vigilantly?

It begins at the core of the business and the culture that surrounds those principles within your company, your team or your relationship with suppliers. The environment you build and sustain shall have the transparency and the elements necessary to sustain a culture in which the "Insider" is incapable of operating, where the culture itself makes it impossible for the "Insider" to operate without disclosure.

We would encourage Operational Risk Management (ORM) professionals to incorporate newfound strategies, new management tools and a renewed effort to extinguish the "Insider" threat across the globe. The best way we can do this today is to work on the culture and to establish the foundations for future "Trust Decisions" within the enterprise. The root of changing the culture and achieving the desired future environment begins with every single decision to trust.

The journey ahead will be long and full of newfound challenges. The vision of the future and the outcomes received will soon be more apparent. Now the real work begins: to start the journey with your own organization and with each person, understanding the environment and culture you seek. And remember:

12 March 2016

The reengineering of the Internet is now underway for the next generation beyond the millennials. The unification of corporate software development and information security teams is experiencing a déjà vu reminiscent of scenes from the 1993 movie "Groundhog Day." Operational Risk Management (ORM) is hopeful that we are having a new resurgence of software vulnerability management thinking. Why?

"A weather man is reluctantly sent to cover a story about a weather forecasting "rat" (as he calls it). This is his fourth year on the story, and he makes no effort to hide his frustration. On awaking the 'following' day he discovers that it's Groundhog Day again, and again, and again. First he uses this to his advantage, then comes the realization that he is doomed to spend the rest of eternity in the same place, seeing the same people do the same thing EVERY day." --Groundhog Day
We are seeing the reunification of 1990's Software Quality Assurance (SQA) thinking, combined with the rigor of new 21st century rapid software development disciplines. It is called "Rugged DevOps." Application development life cycles are getting shorter these days. That is because modern day software development life cycles are taking a more component-based approach, with the reuse of standardized software capabilities. This makes sense, as long as the use of software quality assurance tools and services are not abandoned and new tools and processes are embraced.

DevOps practices can only increase speed and quality up to a point without security and risk (S&R) pros' expertise. Old application security practices hinder speedy releases, and security vulnerabilities represent defects that can leave a company open to cyberattacks. But DevOps practitioners can leap forward with both increased speed and quality by including S&R pros in DevOps feedback loops and including security practices in the automated life cycle. These new practices are called rugged DevOps. This report presents the seven main principles of rugged DevOps so I&O pros and developers can break down barriers with S&R pros and achieve faster releases with stronger application security.

In 2007, a class action lawsuit was filed in the United States District Court of the Northern District of California against Facebook on behalf of 3.6 million users of Facebook concerning its “Beacon” program. KamberLaw represented the plaintiffs in this action and Cooley LLP represented Facebook. This suit was settled in 2009 and was granted final approval by the Hon. Richard Seeborg in March 2010. As part of the settlement, the parties created the Foundation (the Digital Trust Foundation) “the purpose of which shall be to fund projects and initiatives that promote the cause of online privacy, safety, and security.” The case settled for $9.5 million, with the Foundation receiving approximately $6.7 million after attorney’s fees, payments to plaintiffs, and administrative costs. There were four objectors to the settlement, two of whom appealed the approval to the Ninth Circuit Court of Appeals and subsequently the Supreme Court. But ultimately, in November 2013, the appeals were rejected and the Foundation was funded. The Foundation will distribute more than $6 million and will close its doors once all of the grants have been distributed and completed.

Corporate Board of Directors conversations about the topic of "Digital Trust" are now ongoing and are the subject of new business units. Security vs. Privacy has been a recent media frenzy between some of our technology companies and the U.S. government. Your elected officials in the U.S. House of Representatives are also on the hot seat now to produce new, relevant legislation. The courts are adding more privacy and data breach cases to the docket each week. The "Digital Equilibrium Project" is being established and will hopefully include an international set of stakeholders.

Authoring rules that everyone understands and everyone can agree on sets the stage, or playing field, for the environment of competition to engage with some sense of civility. Rules will be broken in plain sight and the referee (law enforcement, judges, courts, juries) will impose a penalty, while potentially millions of people watch live. Is it a penalty kick or just a loss of down?

Think global. Think at the speed of light. Think about the trust of e-commerce transactions, where millions of people rely on our computing machines every waking minute of the day and where zettabytes of data are in use. The rules on the "Digital Playing Field" are vital to our future social and economic well-being.

"Rugged DevOps" is another and necessary component of a safe, private and secure Internet ecosystem. Operational Risk Management (ORM) professionals are evermore concerned, with the root cause of our current Privacy vs. (soon to be "And") Security headlines. Digital Trust is hard to achieve and yet easy to forfeit. It is time for us to begin "Reengineering for our Next Generation".

05 March 2016

"Context and Proportionality do not translate to Zeros and Ones." This was a key take away from the 2016 RSA Conference last week in San Francisco. Thousands of Operational Risk Management (ORM) professionals attended to listen to speakers with titles such as Attorney General, Secretary of Defense and Chief Technology Officer.

Perhaps more important however, were the actual practitioners in the legal system and those "Quiet Professionals" responsible for our national security, who were clearly outlining the digital landscape and our significant challenges ahead. For our nation and the future of our social and economic destiny.

The software engineers and companies who are writing millions of lines of software code are at risk. Here is why. Context and Proportionality do not translate to Zeros and Ones because lawyers are writing words with "Semantically Intentionally Ambiguous Meaning" (SIAM) in the pursuit of achieving digital trust. Privacy and security intent has long been lost in the translation from lawyers to software engineers.

How can we summarize the entirety of what just took place this past week at RSA:

Visibility

Threat Protection

Compliance

Data Security

These four pillars are where the majority of the industry is still categorized, yet we came across some very interesting companies and products that are creating a new buzz. Walking the halls and observing the presentations, the mobile computing generation was in full force. As everyone shuffled between sessions like the overcrowded hallways of a high school, the only safe location was on an escalator, where you could stare at your iPhone for 20 seconds with a little peace. Can you imagine the amount of intellectual property intelligence being collected by competitors and adversaries using digital sensors and good old-fashioned tradecraft during the week?

So what? In the spirit of all the talk and debate, the sales and marketing, the presentations and PowerPoint slides, what have we learned?

"Context and Proportionality do not translate to Zeros and Ones."

Why is this so important to grasp?

At a certain point in the accelerating evolution of technology innovation there are disruptive bifurcations. This means that a particular system reaches a point in time when, instead of rising and growing along the "S" curve, it begins its descent and erosion, until it is outdated or no longer trusted as a standard.

We are soon to reach a new bifurcation in the digital systems that run our businesses, markets and governments. The organizations that rely on the Internet in their daily operations need to adapt. Quickly. Those that are able to accomplish rapid reengineering will survive. Those who wait or miss the signals to adapt will perish or be absorbed by the digital environment surrounding them.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke